Permission Issue with the Bundled Cloud Foundry: Can't Create Service Instances

[mhlandry]

I'm trying to get the introduction to spring cloud
https://spring.io/blog/2014/06/03/introducing-spring-cloud app working
with an instance of Cloud Foundry that I'm running on my machine. I tried
to push the app and I get this message:

    Could not find service postgres-service to bind to hello-spring-cloud

That makes sense to me so I started tracking down the postgres service.
When I run cf marketplace, I get:

    service      plans     description
    mongodb      default   MongoDB NoSQL database
    postgresql   default   PostgreSQL database
    rabbitmq     default   RabbitMQ message queue
    redis        default   Redis key-value store

When I try to create a service instance of the postgresql service and I
get:

    $ cf create-service postgresql default postgresql-service
    Creating service instance postgresql-service in org xyz / space development as admin...
    FAILED
    Server error, status code: 500, error code: 10001, message: Service broker error: Not authorized

I have tried running cf create-service-auth-token postgresql core 123 but that didn't seem to help with the Not Authorized message.

Here are the permissions for the space:

    Getting users in org xyz / space development as admin

    SPACE MANAGER
    admin

    SPACE DEVELOPER
    Admin

The cf service-access command doesn't yield anything interesting:

    $ cf service-access
    Getting service access as admin

Then it shows nothing on the terminal. So I tried to enable service access

    $ cf enable-service-access postgresql
    Enabling access to all plans of service postgresql for all orgs as admin...
    All plans of the service are already accessible for all orgs
    OK

For the life of me, I can¹t figure out what's going on. Any ideas about what's going on?

[githubfp]

having exactly same problem described by mhlandry
the message says "Incorrect Usage" thought I do have to right syntax ? any idea would really help me out! thanks in advance

vagrant@bosh-lite:$ wget https://cf-contrib.s3.amazonaws.com/boshrelease-cf-services-contrib-6.tgz
vagrant@bosh-lite:$ bosh upload release boshrelease-cf-services-contrib-6.tgz

vagrant@bosh-lite:$ git clone https://github.com/cloudfoundry-community/cf-services-contrib-release
vagrant@bosh-lite:$ cd cf-services-contrib-release
$ git checkout v6

vagrant@bosh-lite:/cf-services-contrib-release$ templates/make_manifest warden
vagrant@bosh-lite:/cf-services-contrib-release$ bosh -n deploy
vagrant@bosh-lite:~/cf-services-contrib-release$ cf marketplace
Getting services from marketplace in org myorg / space mydept as admin...
OK

service plans description
mongodb default MongoDB NoSQL database
postgresql default PostgreSQL database
rabbitmq default RabbitMQ message queue
redis default Redis key-value store

vagrant@bosh-lite:~/cf-services-contrib-release$ cf create-service-auth-token mongodb core c1oudc0w
Creating service auth token as admin...
OK
Support for the v1 Service Broker API is deprecated and will be removed in the next major version of Cloud Foundry. Consider upgrading your broker to implement the v2 Service Broker API.

vagrant@bosh-lite:~/cf-services-contrib-release$ cf create-service-auth-token postgresql core c1oudc0w
Creating service auth token as admin...
OK
Support for the v1 Service Broker API is deprecated and will be removed in the next major version of Cloud Foundry. Consider upgrading your broker to implement the v2 Service Broker API.

vagrant@bosh-lite:~/cf-services-contrib-release$ cf create-service-auth-token rabbitmq core c1oudc0w
Creating service auth token as admin...
OK
Support for the v1 Service Broker API is deprecated and will be removed in the next major version of Cloud Foundry. Consider upgrading your broker to implement the v2 Service Broker API.

vagrant@bosh-lite:~/cf-services-contrib-release$ cf create-service-auth-token redis core c1oudc0w
Creating service auth token as admin...
OK
Support for the v1 Service Broker API is deprecated and will be removed in the next major version of Cloud Foundry. Consider upgrading your broker to implement the v2 Service Broker API.

vagrant@bosh-lite:~/cf-services-contrib-release$ cf enable-service-access mongodb
Enabling access to all plans of service mongodb for all orgs as admin...
All plans of the service are already accessible for all orgs
OK

vagrant@bosh-lite:~/cf-services-contrib-release$ cf enable-service-access postgresql
Enabling access to all plans of service postgresql for all orgs as admin...
All plans of the service are already accessible for all orgs
OK

vagrant@bosh-lite:/cf-services-contrib-release$ cf enable-service-access rabbitmq
Enabling access to all plans of service rabbitmq for all orgs as admin...
All plans of the service are already accessible for all orgs
OK
vagrant@bosh-lite:/cf-services-contrib-release$ cf enable-service-access redis
Enabling access to all plans of service redis for all orgs as admin...
All plans of the service are already accessible for all orgs
OK

vagrant@bosh-lite:~/cf-services-contrib-release$ cf service-access
getting service access as admin...

vagrant@bosh-lite:~/cf-services-contrib-release$ cf create-service redis default my-redis1
Creating service my-redis1 in org myorg / space mydept as admin...
FAILED
Server error, status code: 500, error code: 10001, message: An unknown error occurred.

vagrant@bosh-lite:~/cf-services-contrib-release$ cf create-service redis default my-redis1 CF_TRACE=true
FAILED
Incorrect Usage.

NAME:
create-service - Create a service instance

ALIAS:
cs

USAGE:
cf create-service SERVICE PLAN SERVICE_INSTANCE

EXAMPLE:
cf create-service cleardb spark clear-db-mine

TIP:
Use 'cf create-user-provided-service' to make user-provided services available to cf apps

vagrant@bosh-lite:~/cf-services-contrib-release$ cf -v
cf version 6.6.1-b2cdb2b-2014-09-23T23:07:12+00:00

vagrant@bosh-lite:~/cf-services-contrib-release$ cf service-access
getting service access as admin...

vagrant@bosh-lite:~/cf-services-contrib-release$ cf curl /v2/info
{
"name": "vcap",
"build": "2222",
"support": "http://support.cloudfoundry.com",
"version": 2,
"description": "Cloud Foundry sponsored by Pivotal",
"authorization_endpoint": "http://login.10.244.0.34.xip.io",
"token_endpoint": "https://uaa.10.244.0.34.xip.io",
"api_version": "2.18.0",
"logging_endpoint": "wss://loggregator.10.244.0.34.xip.io:443"
}

vagrant@bosh-lite:/cf-services-contrib-release$ cf curl /v2/info
{
"name": "vcap",
"build": "2222",
"support": "http://support.cloudfoundry.com",
"version": 2,
"description": "Cloud Foundry sponsored by Pivotal",
"authorization_endpoint": "http://login.10.244.0.34.xip.io",
"token_endpoint": "https://uaa.10.244.0.34.xip.io",
"api_version": "2.18.0",
"logging_endpoint": "wss://loggregator.10.244.0.34.xip.io:443"
}
vagrant@bosh-lite:/cf-services-contrib-release$ cf curl /v2/service_plans -X 'GET'
{
"total_results": 4,
"total_pages": 1,
"prev_url": null,
"next_url": null,
"resources": [
{
"metadata": {
"guid": "6e0c12aa-c547-427e-83ec-5a2de5536dca",
"url": "/v2/service_plans/6e0c12aa-c547-427e-83ec-5a2de5536dca",
"created_at": "2015-09-03T17:40:45+00:00",
"updated_at": "2015-09-03T20:55:42+00:00"
},
"entity": {
"name": "default",
"free": true,
"description": "Developer, 250MB storage, 10 connections",
"service_guid": "4e71ab56-1661-4a44-a9b6-620d82e5cc23",
"extra": "",
"unique_id": "default-acc65758-191f-4cc7-a295-34a11e731b01",
"public": true,
"active": true,
"service_url": "/v2/services/4e71ab56-1661-4a44-a9b6-620d82e5cc23",
"service_instances_url": "/v2/service_plans/6e0c12aa-c547-427e-83ec-5a2de5536dca/service_instances"
}
},
{
"metadata": {
"guid": "f5566c05-8165-43f4-9867-27fada9a6e66",
"url": "/v2/service_plans/f5566c05-8165-43f4-9867-27fada9a6e66",
"created_at": "2015-09-03T17:40:50+00:00",
"updated_at": "2015-09-03T20:55:39+00:00"
},
"entity": {
"name": "default",
"free": true,
"description": "Developer, shared VM, 250MB storage, 10 connections",
"service_guid": "12f51c6b-c16c-46e2-9672-1b13631f3550",
"extra": "",
"unique_id": "default-8f4af9f9-0f29-4957-87a3-1039ce983ede",
"public": true,
"active": true,
"service_url": "/v2/services/12f51c6b-c16c-46e2-9672-1b13631f3550",
"service_instances_url": "/v2/service_plans/f5566c05-8165-43f4-9867-27fada9a6e66/service_instances"
}
},
{
"metadata": {
"guid": "37214276-cf04-4c45-a927-6816f028818a",
"url": "/v2/service_plans/37214276-cf04-4c45-a927-6816f028818a",
"created_at": "2015-09-03T17:41:23+00:00",
"updated_at": "2015-09-03T20:55:42+00:00"
},
"entity": {
"name": "default",
"free": true,
"description": "Developer, 250MB storage, 10 connections",
"service_guid": "6d615670-a3cd-41cb-9fc1-31cb8cbadc8b",
"extra": "",
"unique_id": "default-b98ab4cc-53e3-44a0-a53b-f09d7827f950",
"public": true,
"active": true,
"service_url": "/v2/services/6d615670-a3cd-41cb-9fc1-31cb8cbadc8b",
"service_instances_url": "/v2/service_plans/37214276-cf04-4c45-a927-6816f028818a/service_instances"
}
},
{
"metadata": {
"guid": "2a201849-b3c2-40ef-9279-d4116614c3cf",
"url": "/v2/service_plans/2a201849-b3c2-40ef-9279-d4116614c3cf",
"created_at": "2015-09-03T17:41:25+00:00",
"updated_at": "2015-09-03T20:55:43+00:00"
},
"entity": {
"name": "default",
"free": true,
"description": "Developer, 250MB storage, 100 connections",
"service_guid": "b55fb809-e2c9-41c6-9eec-82c4850aa335",
"extra": "",
"unique_id": "default-bfd55f2a-25c8-4444-9200-4e7d2d443467",
"public": true,
"active": true,
"service_url": "/v2/services/b55fb809-e2c9-41c6-9eec-82c4850aa335",
"service_instances_url": "/v2/service_plans/2a201849-b3c2-40ef-9279-d4116614c3cf/service_instances"
}
}
]
}
vagrant@bosh-lite:~/cf-services-contrib-release$

[Gangabhavani]

I have got the same issue.Resolved by deleting the existing service-auth-token and recreating it using the provider "core".

[githubfp]

Thank you so much Gangabhavani for your reply on this one - As I mentioned in my previous msg this is my first attempt to deploy the services on a local CF config so I just followed the instructions posted on https://github.com/cloudfoundry-community/cf-services-contrib-release

$ cf create-service-auth-token core
• label: the name of the package
• token: the token you provided in your deployment file
going a bit further it looks like these tokens are brought in by

templates/make_manifest warden

which is actually doing a ‘spiff merge’ of the following files:
spiff merge
$templates/deployment.yml
$templates/jobs.yml
$templates/properties.yml
$templates/infrastructure-${infrastructure}.yml
$tmpdir/stub-with-uuid.yml
$* > $tmpdir/$NAME-manifest.yml

At a closer look, it looks like those tokens are actually coming from the above mentioned files ‘/templates/infrastructure-warden.yml’ and apparently they seem to be (by default) set to ‘c1oudc0w’ (at least that’s what I can see on my folder and that’s also what I can see on the https://github.com/cloudfoundry-community/cf-services-contrib-release templates too)

vagrant@bosh-lite:~/cf-services-contrib-release$ cat templates/infrastructure-warden.yml | grep token
token: c1oudc0w
token: c1oudc0w
token: c1oudc0w
token: c1oudc0w

Provided that, at this stage, I am running just a POC, I didn’t customize so far anything and so, I just tried to use the values referenced in the manifest file by default – are there any another ‘provider’ tokens values I should use in this case ? any directions on how/where to look for these provider ‘token’ values would begreatly appreciated

[amaltson]

@githubfp you're a life saver, those were the tokens I was looking for! 👍

[florianpopovici]

I am pleased if my post helped in any way --- unfortunately, in my case, the process listed above didn't work at all, I am still stuck when trying to run 'cf create-services' - any help on that would be greatly appreciated

[rkoster]

The default service auth tokens when running on bosh-lite can indeed be found here. The registration of of the service auth tokens for bosh-lite can also be achieved by running rake setup.

[florianpopovici]

hello rkoster - thanks a lot for your input
as I mentioned before this is my very first attempt to deploy CF so I might be missing things in there - anyway, in my case , the all process seems to work fine, except the 'create-service' which is constantly returning 'incorrect usage' error ... thought that doesn’t seem to be about any syntax error ... any idea on what/where I should look for would be greatly appreciated

cf marketplace
Getting services from marketplace in org myorg / space mydept as admin...
OK

service plans description
mongodb default MongoDB NoSQL database
postgresql default PostgreSQL database
rabbitmq default RabbitMQ message queue
redis default Redis key-value store

cf create-service-auth-token mongodb core c1oudc0w (does work fine)
cf create-service-auth-token postgresql core c1oudc0w (does work fine)
cf create-service-auth-token rabbitmq core c1oudc0w (does work fine)
cf create-service-auth-token redis core c1oudc0w (does work fine)

cf enable-service-access mongodb (does work fine)
cf enable-service-access postgresql (does work fine)
cf enable-service-access rabbitmq (does work fine)
cf enable-service-access redis (does work fine)

cf create-service mongodb default my-mongodb CF_TRACE=true
FAILED
Incorrect Usage.

NAME:
create-service - Create a service instance

ALIAS:
cs

USAGE:
cf create-service SERVICE PLAN SERVICE_INSTANCE

EXAMPLE:
cf create-service cleardb spark clear-db-mine

TIP:

Use 'cf create-user-provided-service' to make user-provided services available to cf apps

[rkoster]

Have you tried: CF_TRACE=true cf create-service mongodb default my-mongodb?

[florianpopovici]

here's the output ... if you could see somehting where I could start digging that would be really appreciated .. many thanks in advance!

vagrant@agent-id-bosh-0:~$ CF_TRACE=true cf create-service mongodb default my-mongodb

VERSION:
6.6.1-b2cdb2b

Creating service my-mongodb in org myorg / space mydept as admin...

REQUEST: [2015-09-21T14:34:34Z]
GET /v2/spaces/f868f5b4-b131-4cf6-886b-8957961d7e5d/services?q=label%3Amongodb&inline-relations-depth=1 HTTP/1.1
Host: api.10.244.0.34.xip.io
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/json
User-Agent: go-cli 6.6.1-b2cdb2b / linux

RESPONSE: [2015-09-21T14:34:34Z]
HTTP/1.1 401 Unauthorized
Content-Length: 97
Content-Type: application/json;charset=utf-8
Date: Mon, 21 Sep 2015 14:34:34 GMT
Server: nginx
X-Cf-Requestid: 5104ff6d-de84-4ca9-55e4-5ca556dadcc6
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: 463a6983-adc5-4fff-742e-8fe29bf65da8::bb0ddf54-1d9e-4733-a901-d33077a7c481

{
"code": 1000,
"description": "Invalid Auth Token",
"error_code": "CF-InvalidAuthToken"
}

REQUEST: [2015-09-21T14:34:34Z]
POST /oauth/token HTTP/1.1
Host: login.10.244.0.34.xip.io
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/x-www-form-urlencoded
User-Agent: go-cli 6.6.1-b2cdb2b / linux

grant_type=refresh_token&refresh_token=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIwZThkOWIwNy01MmQ0LTQzODgtOGYxOC01ZDQyZjZjNGQ4ZDYiLCJzdWIiOiIxY2UzZWVjMi02MmQzLTRmYzgtOTM1Yi1mZWRkYjFlZDIyYzgiLCJzY29wZSI6WyJzY2ltLnJlYWQiLCJzY2ltLnVzZXJpZHMiLCJjbG91ZF9jb250cm9sbGVyLmFkbWluIiwic2NpbS53cml0ZSIsImNsb3VkX2NvbnRyb2xsZXIud3JpdGUiLCJwYXNzd29yZC53cml0ZSIsIm9wZW5pZCIsImNsb3VkX2NvbnRyb2xsZXIucmVhZCIsImRvcHBsZXIuZmlyZWhvc2UiXSwiaWF0IjoxNDQyODQ0MjcxLCJleHAiOjE0NDU0MzYyNzEsImNpZCI6ImNmIiwiaXNzIjoiaHR0cHM6Ly91YWEuMTAuMjQ0LjAuMzQueGlwLmlvL29hdXRoL3Rva2VuIiwiZ3JhbnRfdHlwZSI6InBhc3N3b3JkIiwidXNlcl9uYW1lIjoiYWRtaW4iLCJ1c2VyX2lkIjoiMWNlM2VlYzItNjJkMy00ZmM4LTkzNWItZmVkZGIxZWQyMmM4IiwiYXVkIjpbInNjaW0iLCJjbG91ZF9jb250cm9sbGVyIiwicGFzc3dvcmQiLCJvcGVuaWQiLCJkb3BwbGVyIl19.LURCff3QJVbD2or1-OAvVDorFfERSuLJYpoe7Flyefe0jP2-OoVcqqkezX3zULwPc7nLr31jM9rVuxYPPyplbM53kmQ4pjd28i4j3l3nsvAIUlysHLbBPF8o6ljuAHjKMFF0lNpoDHdQ44kqQI0vd2YxLe1urWK6soZyjZci0TM&scope=

RESPONSE: [2015-09-21T14:34:39Z]
HTTP/1.1 200 OK
Connection: close
Content-Length: 2071
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-store
Content-Type: application/json;charset=UTF-8
Date: Mon, 21 Sep 2015 14:34:39 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Pragma: no-cache
Server: Apache-Coyote/1.1
X-Cf-Requestid: 77645f19-d8e0-4da9-41cb-84133baa2ad0
X-Cf-Requestid: 614f7366-84be-4bc4-7491-826b5ce41c18
X-Frame-Options: DENY

{"access_token":"[PRIVATE DATA HIDDEN]","token_type":"bearer","refresh_token":"[PRIVATE DATA HIDDEN]","expires_in":599,"scope":"scim.userids scim.read cloud_controller.admin password.write scim.write openid cloud_controller.write cloud_controller.read doppler.firehose","jti":"d033accb-52da-454e-8494-10efc262bced"}

REQUEST: [2015-09-21T14:34:39Z]
GET /v2/spaces/f868f5b4-b131-4cf6-886b-8957961d7e5d/services?q=label%3Amongodb&inline-relations-depth=1 HTTP/1.1
Host: api.10.244.0.34.xip.io
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/json
User-Agent: go-cli 6.6.1-b2cdb2b / linux

RESPONSE: [2015-09-21T14:34:39Z]
HTTP/1.1 200 OK
Content-Length: 2137
Content-Type: application/json;charset=utf-8
Date: Mon, 21 Sep 2015 14:34:39 GMT
Server: nginx
X-Cf-Requestid: d0ef0a82-0283-462f-5708-a4711f11d610
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: 37b73f2b-e0a3-4cd9-6151-2b46786413cb::1ffc1d34-663f-45d5-a478-37a1ec198d40

{
"total_results": 1,
"total_pages": 1,
"prev_url": null,
"next_url": null,
"resources": [
{
"metadata": {
"guid": "12f51c6b-c16c-46e2-9672-1b13631f3550",
"url": "/v2/services/12f51c6b-c16c-46e2-9672-1b13631f3550",
"created_at": "2015-09-03T17:40:45+00:00",
"updated_at": "2015-09-21T14:34:31+00:00"
},
"entity": {
"label": "mongodb",
"provider": "core",
"url": "http://10.244.1.2:37611",
"description": "MongoDB NoSQL database",
"long_description": null,
"version": "2.2",
"info_url": null,
"active": true,
"bindable": true,
"unique_id": "8f4af9f9-0f29-4957-87a3-1039ce983ede",
"extra": "{"listing":{"imageUrl":null,"blurb":null},"provider":{"name":"Core"}}",
"tags": [
"nosql",
"document",
"mongodb"
],
"requires": [

    ],
    "documentation_url": null,
    "service_broker_guid": null,
    "plan_updateable": false,
    "service_plans_url": "/v2/services/12f51c6b-c16c-46e2-9672-1b13631f3550/service_plans",
    "service_plans": [
      {
        "metadata": {
          "guid": "f5566c05-8165-43f4-9867-27fada9a6e66",
          "url": "/v2/service_plans/f5566c05-8165-43f4-9867-27fada9a6e66",
          "created_at": "2015-09-03T17:40:50+00:00",
          "updated_at": "2015-09-21T14:34:36+00:00"
        },
        "entity": {
          "name": "default",
          "free": true,
          "description": "Developer, shared VM, 250MB storage, 10 connections",
          "service_guid": "12f51c6b-c16c-46e2-9672-1b13631f3550",
          "extra": "",
          "unique_id": "default-8f4af9f9-0f29-4957-87a3-1039ce983ede",
          "public": true,
          "active": true,
          "service_url": "/v2/services/12f51c6b-c16c-46e2-9672-1b13631f3550",
          "service_instances_url": "/v2/service_plans/f5566c05-8165-43f4-9867-27fada9a6e66/service_instances"
        }
      }
    ]
  }
}

]
}

REQUEST: [2015-09-21T14:34:39Z]
POST /v2/service_instances HTTP/1.1
Host: api.10.244.0.34.xip.io
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/json
User-Agent: go-cli 6.6.1-b2cdb2b / linux

{"name":"my-mongodb","service_plan_guid":"f5566c05-8165-43f4-9867-27fada9a6e66","space_guid":"f868f5b4-b131-4cf6-886b-8957961d7e5d", "async": true}

RESPONSE: [2015-09-21T14:34:40Z]
HTTP/1.1 500 Internal Server Error
Content-Length: 99
Content-Type: application/json;charset=utf-8
Date: Mon, 21 Sep 2015 14:34:40 GMT
Server: nginx
X-Cf-Requestid: 52e95de7-4249-437c-5167-8d0dafc858e9
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: b468b17b-86d8-44b0-7495-c83612f49add::a0ba32f1-0f30-4d92-bcd1-001ffe09f524

{
"error_code": "UnknownError",
"description": "An unknown error occurred.",
"code": 10001
}

FAILED
Server error, status code: 500, error code: 10001, message: An unknown error occurred.
FAILED
Server error, status code: 500, error code: 10001, message: An unknown error occurred.
vagrant@agent-id-bosh-0:~$

[rkoster]

From the above:

{
"code": 1000,
"description": "Invalid Auth Token",
"error_code": "CF-InvalidAuthToken"
}

Looks interesting, can you verify your auth tokens are created (cf service-auth-tokens).
Also can you grep your bosh deployment manifest for the string token? And verify your token is indeed c1oudc0w?

[florianpopovici]

u right ... that's a bit of a surprize .. would it have been possible to run 'create-service-auth-token' without referencing the correct token ?

vagrant@agent-id-bosh-0:~$ cf service-auth-tokens
Getting service auth tokens as admin...
OK

label provider
mongodb core
postgresql core
rabbitmq core
redis core
Support for the v1 Service Broker API is deprecated and will be removed in the next major version of Cloud Foundry. Consider upgrading your broker to implement the v2 Service Broker API.
vagrant@agent-id-bosh-0:$
vagrant@agent-id-bosh-0:/cf-services-contrib-release$ cat templates/contrib-services-warden-manifest.yml | grep token
token: c1oudc0w
token: c1oudc0w
token: c1oudc0w
token: c1oudc0w